Lost Data Tapes Likely To Be Costly for Citi

Expenses include customer outreach and remediation, legal defense, and new storage architectures.

CitiFinancial, a consumer lending division of Citigroup (New York, $1.49 trillion in assets), revealed in early June that computer tapes containing the personal information of 3.9 million customers were lost in transit by shipping and logistics provider UPS (Atlanta). As with the Bank of America incident announced in February, in which information about 1.2 million federal employees was also lost in transit, the data on the lost CitiFinancial tapes was unencrypted.

Citigroup says that it will no longer ship unencrypted tapes using couriers. "Beginning in July, this data will be sent electronically in encrypted form," said Kevin Kessinger, executive vice president of Citigroup's Global Consumer Group and president of consumer finance North America, in a statement.

By switching to encrypted electronic transfers, CitiFinancial can mitigate both the risk that someone captures the data in transit and the risk that the data can be read if it is captured. Had the data been encrypted, CitiFinancial would not have had to notify the public under either the Gramm-Leach-Bliley Act or California's Security Breach law (SB 1386), observes Barbara Nelson, president and CEO of NeoScale Systems (Milpitas, Calif.), a provider of enterprise storage security products.

Costly Mistake

As it stands, however, the incident will cost Citigroup significant money to remedy, starting with the need to assuage affected customers. "The average cost of notifying a customer of a breach is anywhere from $30 to $50 per customer. Then, the monitoring of credit records is an additional $25," relates Maureen Kelly, director of product marketing for security technology firm Vontu (San Francisco).

Citi - and other banks - could go even further toward making the customer feel safe - and that's not a bad idea, notes Vytas Kisielius, president of communications solutions provider Adeptra (Norwalk, Conn.). Kisielius compares the current public relations opportunity to Johnson & Johnson's handling of the Tylenol poisonings in 1982. When consumers no longer trusted its product, J&J responded with tamper-resistant packaging. "They made their customers feel completely safe and secure in their relationship that they had with the company," says Kisielius.

But the cost of reaching out to customers can pale in comparison to the legal costs involved with responding to class-action lawsuits. "You're talking six figures to read the complaint, seven figures before you get to a court," asserts Kevin Kalinich, national managing director for technology and professional risks, of Aon's (Chicago) Technology and Telecommunications Group. Aon offers extensions of "errors and omissions" insurance that cover both indemnification and defense costs of third-party claims or losses due to litigation.

The litigation expenses would kick in even if the defendant has a solid defense. "It'd be very hard for anyone to prevail on a lawsuit, unless they could prove actual harm and they could show it traces back to this security breach," notes Fred H. Cate, director of the Indiana University Center for Applied Cybersecurity Research.

But, "The greatest single cost is in the press disclosure," continues Cate. "Do people think less of Citibank, or, if you're a Citibank customer, are you going to be more likely to move [to another bank] now?"